Re: Apache+PHP+ftp security

blogleser-8yahoo.de
Date: Tue Mar 29 2005 - 15:17:50 CST


In-Reply-To: <20050325185444.GA3145clusterdigital.com>

Well, I don't know if this is "the right" way, but I had this problem last week, too.

My Solution:
· Virtual FTP accounts (no system user, e.g. proftpd & mysql auth).
Restriction to homedir of the user.
· Apache compiled with suexec-min uid 1000. (1.3.x)
A new uid for each user (in the mysql db)
Every virtualhost is running under its own user.
(unfortunately safemode must be off, running php through cgi would be a good idea for most domains)

Don't know if this is a good way (any remarks?), but with this, I have no system user (neither ftp, nor httpd), every virtual domain with its own user (and due to gid the normal filesystem is not readable).
Suexec CGI is working, changing from the homedir (/home/www/user1) to another (/home/www/user2) is not possible with php.
With safemode on (and perhaps another ftpd) this should be safe, shouldn't it?

As I said, no idea if this is the right way :)
This is only for hosting a few friends on my root server.
Perhaps a few statements will comment this.
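
An added example, not part of the original post: a small audit for the layout described above, flagging vhost directories whose owner uid is below the suexec minimum of 1000, whose uid is shared with another vhost, or which are accessible to other users. The `/home/www/userN` entries are constructed sample data, and the function names are hypothetical; group-based access depends on how gids are assigned and is not checked here.

```python
import os
import stat
from collections import defaultdict

MIN_UID = 1000  # suexec minimum uid mentioned in the post


def audit_entries(entries, min_uid=MIN_UID):
    """entries: iterable of (path, owner_uid, mode). Returns sorted (path, problem) pairs."""
    findings = []
    by_uid = defaultdict(list)
    for path, uid, mode in entries:
        by_uid[uid].append(path)
        if uid < min_uid:
            findings.append((path, f"owner uid {uid} is below {min_uid}"))
        if mode & stat.S_IRWXO:
            findings.append((path, "accessible to other users (world bits set)"))
    # One uid per virtual host: any uid owning several directories breaks isolation.
    for uid, paths in by_uid.items():
        if len(paths) > 1:
            for p in paths:
                findings.append((p, f"uid {uid} shared by {len(paths)} vhost dirs"))
    return sorted(findings)


def scan(base):
    """Collect (path, owner_uid, mode) for each directory directly under base."""
    out = []
    for name in sorted(os.listdir(base)):
        path = os.path.join(base, name)
        st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
        if stat.S_ISDIR(st.st_mode):
            out.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return out


# Constructed sample input (not taken from a real server).
SAMPLE = [
    ("/home/www/user1", 1001, 0o750),
    ("/home/www/user2", 1002, 0o755),  # world-readable and traversable
    ("/home/www/user3", 1001, 0o750),  # same uid as user1
    ("/home/www/user4", 33, 0o700),    # uid below the suexec minimum
]

if __name__ == "__main__":
    for path, problem in audit_entries(SAMPLE):
        print(f"{path}: {problem}")
```

On a live host, `audit_entries(scan("/home/www"))` runs the same checks against the real directories.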